
Re: [apnic-talk] NICs and Egress filtering?



thanks for the reply -- comments below

Joe Abley wrote:
> 
> On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> > Hi,
> >
> > I look after Internet security for our company and have often wondered
> > ....
> >
> > Considering how important egress filtering of spoofed IP addresses is in
> > preventing Distributed Denial Of Service attacks, I was wondering
> > whether APNIC and the other NICs have considered requiring IP address
> > holders to apply egress filters on their boundary routers?
> 
> I think the more usual place to apply filters to catch spoofing is
> on the ingress to your network, on the customer-facing circuit.
> Packet filtering is frequently expensive, which is a good reason
> to push it out to the edge.
> 

An egress filter prevents spoofed addresses entering the Internet from
that router -- say I'm an ISP with clients that have compromised PCs with
a DDOS program; an egress filter will prevent those packets with spoofed
source IP addresses from leaving my router. 

> > It seems to me the major NICs are about the only body that have the
> > wherewithal to enforce these filters.
> 
> How would they enforce them?

No filter, no route your network of course! The technical difficulty as
I see it would be to test for this externally to the router with the
filter -- I don't know enough about IP to know if it is possible.

-- 

Phil Crooker            ORIX Australia       		61 8 8443 6844
UNIX SysAdmin 		pcrooker@orix.com.au		61 8 8443 6955 (fax)

*              APNIC-TALK: General APNIC Discussion List             *
* To unsubscribe: send "unsubscribe" to apnic-talk-request@apnic.net *
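
The egress check described in the message above, as an added example that is not part of the original post: a border router forwards an outbound packet only if its source address falls inside the prefixes the network legitimately holds. The prefixes, interface names and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed for illustration: the prefixes this ISP legitimately originates
# (documentation ranges), i.e. the only sources allowed to leave its border.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

def egress_permits(src, prefixes=ASSIGNED_PREFIXES):
    """True if a packet with source address `src` may leave the border router."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    return any(addr.version == net.version and addr in net for net in prefixes)

def apply_egress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Split outbound packets into (forwarded, dropped) by source address."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permits(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped

def spoofing_interfaces(dropped):
    """Count dropped packets per customer-facing interface, to locate the
    compromised hosts that are emitting spoofed traffic."""
    return Counter(pkt["iface"] for pkt in dropped)

# Constructed sample of outbound packets seen at the border router.
SAMPLE_OUTBOUND = [
    {"iface": "cust1", "src": "192.0.2.17",     "dst": "203.0.113.80"},
    {"iface": "cust2", "src": "198.51.100.9",   "dst": "203.0.113.80"},
    {"iface": "cust2", "src": "198.51.100.200", "dst": "203.0.113.80"},  # outside the /25
    {"iface": "cust3", "src": "10.1.2.3",       "dst": "203.0.113.80"},  # private source
    {"iface": "cust3", "src": "203.0.113.5",    "dst": "203.0.113.80"},  # another network's address
]

if __name__ == "__main__":
    forwarded, dropped = apply_egress_filter(SAMPLE_OUTBOUND)
    print("forwarded:", [p["src"] for p in forwarded])
    print("dropped by interface:", dict(spoofing_interfaces(dropped)))
```

The per-interface count of dropped packets points at the customer circuits behind which the compromised machines sit.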